Understanding the Rapid7 Vulnerability Integration

  • Release version: Yokohama
  • Updated January 30, 2025
  • 9 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Understanding the Rapid7 Vulnerability Integration

    The ServiceNow Rapid7 Vulnerability Integration enables your instance to import and synchronize vulnerability data from Rapid7 products such as the Rapid7 data warehouse (on-premise) and Rapid7 InsightVM (cloud-based). This integration helps you prioritize and manage vulnerabilities by mapping them to configuration items (CIs) and services within ServiceNow Vulnerability Response. Data synchronization occurs via automated scheduled jobs, which keep your vulnerability records up to date and consistent with Rapid7 scans.

    Show full answer Show less

    This integration supports multiple Rapid7 deployments, consolidating assets and vulnerabilities into a unified view aligned with your CMDB. It is important to note that using both data warehouse and InsightVM sources simultaneously may cause duplicate records, but deduplication options are available when migrating.

    Key Features

    • Scheduled Jobs: Automated jobs import data in a defined sequence, with options for manual execution to maintain synchronization.
    • Multiple Integrations: Includes integrations for vulnerability data, asset lists, vulnerability categories, exploits, malware kits, references, solutions, and sites. This comprehensive approach enriches vulnerability data and supports end-to-end vulnerability lifecycle management.
    • Rapid7 InsightVM API Support: Provides API-based integrations for InsightVM data, including vulnerable items, assets, and sites, with scheduled imports and automatic closure of stale vulnerabilities.
    • CI Lookup Rules: Rules determine how imported vulnerabilities link to configuration items, enabling accurate mapping and effective remediation tracking.
    • Discovered Items Module: Lists assets identified during imports, aiding in visibility of scanned and unscanned assets with filtering capabilities.
    • Host Tags: Imported host tags from InsightVM support filtering and assignment in remediation tasks, ensuring precise targeting based on asset attributes.
    • Site Filtering: Allows categorization and filtering of assets by scan sites during data import, supporting organized vulnerability management aligned with scan scopes.
    • Reopening Resolved Vulnerable Items: Optionally reopens vulnerabilities marked "Resolved" but still detected in rescans after a configurable number of days, ensuring no vulnerabilities are overlooked.
    • CI Creation with Identification and Reconciliation Engine (IRE): Automatically creates new CIs when no match is found for imported hosts, enhancing CMDB completeness when paired with the CMDB CI Class Models plugin.
    • Rescan Initiation: Supports triggering rescans in Rapid7 to validate remediation status between scheduled scans.
    • Rapid7 Solution Management: Integrates Rapid7 vulnerability solutions into ServiceNow’s Vulnerability Solutions table when the Vulnerability Solution Management plugin is activated, improving solution tracking and remediation guidance.

    Roles and Permissions

    Several roles govern access and actions within the integration, including:

    • snvulr7.admin: Full read, write, and delete permissions on integration records.
    • snvulr7.user: Read and write access.
    • snvulr7.read: Read-only access.
    • Additional roles for configuring the integration and managing Vulnerability Response administration are also used.

    Practical Considerations for ServiceNow Customers

    • Run scheduled jobs in the prescribed order to maintain data integrity.
    • Avoid simultaneous use of Rapid7 data warehouse and InsightVM sources to minimize duplicate data, or apply deduplication when migrating.
    • Use CI lookup rules to ensure vulnerabilities are accurately associated with CIs for effective tracking and remediation.
    • Leverage the Discovered Items module and host tags to gain visibility into asset scanning status and improve remediation targeting.
    • Enable reopening of resolved vulnerabilities if rescans indicate ongoing issues, preventing silent risk persistence.
    • Consider enabling the Vulnerability Solution Management plugin to benefit from enhanced solution tracking integrated with Rapid7 data.

    The ServiceNow® Rapid7 Vulnerability Integration uses data imported from the Rapid7 data warehouse or the Rapid7 InsightVM products to help you determine the impact and priority of potentially malicious threats.

    Rapid7 Nexpose sensors collect data and automatically send it to the Rapid7 data warehouse (on-premise) or Rapid7 InsightVM (cloud-based) products, which continuously analyze and correlate the information. It easily integrates with ServiceNow® Vulnerability Response to map vulnerabilities to CIs and services. The Rapid7 Vulnerability Integration enriches the vulnerability data on your instance.

    Rapid7 integrations are entry points interacting with the Rapid7 data warehouse or Rapid7 InsightVM products, invoked as scheduled jobs. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems. The scheduled jobs are run automatically and in the order specified. You can also execute individual scheduled jobs manually.
    Note:
    If you use both Rapid7 data warehouse and Rapid7 InsightVM as sources for your data, you run the risk of duplicate vulnerability records.
    Note:
    When migrating from the Data Warehouse integration type to the InsightVM type, you can deduplicate your existing data warehouse records. See Deduplicate Rapid7 Vulnerability Integration data warehouse records for more information.
    If you have multiple deployments of the Rapid7 InsightVM vulnerability integration, you can add an integration for each deployment. Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response.
    Note:
    You cannot delete the original vulnerability integration but you can disable it. Integrations created from disabled templates are disabled by default.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Available versions

    Release version for Yokohama Release Notes

    Rapid7 Vulnerability Integration v13.6, 13.7

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

    Roles

    Rapid7 vulnerability integration tasks involve the following roles.
    • sn_vul_r7.admin: Can read, write, and delete records.
    • sn_vul_r7.user: Can read and write records.
    • sn_vul_r7.read: Can read records.
    • sn_vul.configure_r7_integration
    • sn_vul.vulnerability_admin

    Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

    Rapid7 Vulnerability Integration integrations

    To view the Rapid7 Vulnerability Integration, navigate to Rapid7 > Administration > Integrations.

    The following integrations are included in the base system.

    Table 1. Rapid7 data warehouse integrations
    Integration Description
    Rapid7 Vulnerability Integration Retrieves vulnerability data from Rapid7 Nexpose and processes it in your instance.
    Rapid7 Asset List Integration Retrieves scan data once a week from Rapid7 Nexpose data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    Rapid7 Category Integration Retrieves category information from Rapid7 Nexpose. Categories provide high-level classification for vulnerabilities.
    Rapid7 Exploit Integration Retrieves exploit information from Rapid7 Nexpose.
    Rapid7 Malware Kit Integration Retrieves malware kit information from Rapid7 Nexpose.
    Rapid7 Reference Integration Retrieves references to external authority documents such as CVEs or vendor-specific vulnerability references.
    Rapid7 Solution Integration Retrieves solution data from Rapid7 Nexpose, which provides recommended solutions to specific vulnerabilities.
    Rapid7 Superceding Solution Integration Retrieves information about which solutions are superseded by other solutions.
    Rapid7 Prerequisite Solution Integration Retrieves information about the solutions that are prerequisites for other solutions. When this integration executes, it fetches the mapping of solutions and prerequisite solutions from the Rapid7 data warehouse.
    Note:
    This integration works only if the Vulnerability Solution Management plugin is activated.
    Rapid7 Vulnerability Solution Map Integration Retrieves the mapping to associate solutions with vulnerabilities.
    Rapid7 Vulnerable Item Integration Retrieves vulnerable item data from Rapid7 Nexpose and processes it in your instance.

    The outputs of this integration are vulnerable items.
    Rapid7 Vulnerable Item Resolution Integration

    Retrieves information about which vulnerable items are marked closed in Rapid7 Nexpose and closes the corresponding vulnerable items in Vulnerability Response.
    Rapid7 Site Integration Retrieves Site data from Rapid7 Nexpose. A site is a collection of assets that are targeted for a scan.
    Rapid7 Asset List Integration Retrieves host tags and scan data once a week from the Rapid7 data warehouse and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response
    Rapid7 Comprehensive Vulnerable Item Integration Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.
    Table 2. Rapid7 InsightVM integrations
    Integration Description
    Rapid7 Vulnerable Item Integration — API Retrieves vulnerable item data from Rapid7 InsightVM and processes it in your instance.
    Rapid7 Vulnerability Integration — API Retrieves reference, category, exploit, malware kit, and vulnerability data from Rapid7 InsightVM and processes it in your instance.
    Rapid7 Asset List Integration - API Retrieves host tags and scan data once a week from Rapid7 InsightVM and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time in the Discovered Items list in Vulnerability Response.
    Rapid7 Comprehensive Vulnerable Item Integration - API Imports all the Rapid7 detections for all configuration items scanned since the last successful integration run. Based on the most current imported data, vulnerable items not recently found during scans are automatically transitioned to ‘Closed’ when the Auto-Close Stale Vulnerable Items module is enabled.
    Rapid7 Site Integration Retrieves Site data from the Rapid7 InsightVM product. This integration is set to run weekly at 00:00:00.

    During import, CVE records not already present are created as NVD records and referenced in third-party entries for Rapid7 by default. The template integration for Rapid7 cannot be deleted. Disable it instead.

    The Service Graph Connector for Rapid7

    Beginning with version 2.0, the Service Graph Connector for Rapid7 is available from the ServiceNow® Store. See Service Graph Connector for Rapid7 for more information.

    CI Lookup Rules

    CI Lookup Rules determine how to fill in the Configuration item field in a vulnerable item record.

    For more information on how CI lookup rules work, see CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations.

    To create or edit lookup rules, see Create a Vulnerability Response CI lookup rule.
    Note:
    Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    Discovered Items

    This module lists configuration items detected during import from the Rapid7 Vulnerable Item Integrations (data warehouse or InsightVM API) and the Rapid7 Asset List Integration - API. The Rapid7 Asset List Integration - API imports all Rapid7 assets scanned for vulnerabilities since the last integration run. The Rapid7 data warehouse Asset List Integration is included.
    Note:
    The default filter for this list is set to Unmatched. You can view all discovered items from an import by removing the filter.

    See Discovered Items in Vulnerability Response for more information on the Discovered Items module.

    Host tags

    Host tags are imported as part of the Rapid7 Asset List Integration - API integration for Rapid7 InsightVM. They are used primarily for filtering in Vulnerability Response Assignment and Remediation Task Rules in Rapid7 InsightVM. They are displayed in the Discovered Item form.

    Host tags
    Note:
    The Rapid7 Asset List integration - API integration should be run prior to creating Assignment or Remediation Task Rules in Vulnerability Response so that all tags can be present in the rules and before vulnerable items are imported and grouped.
    • Tag storage is not case-sensitive. If a San Diego tag is created, then a SAN DIEGO tag cannot be stored in the Host tag table. “San Diego” and “SAN DIEGO” are considered to be the same host tag. Whichever tag was imported first wins.
    • Using host tags as a Group Key in a Remediation Task Rule can have unexpected results. Host tags are intended for use only in the Condition builder.
    • Host tags are controlled by the global system property sn_vul.import_host_tags. This property is set to true by default. Turning tags off turns them off across all instances.

    Sites

    A site is a collection of assets targeted for a scan. A site consists of target assets, a scan template, one or more Scan Engines, and other scan-related settings such as schedules or alerts. Sites are managed by Rapid7 applications.

    Rapid7 Vulnerability Integration site filtering during configuration allows you to categorize and request assets by site during import. See Filtering by Rapid7 sites for more information on filtering imports.

    The Rapid7 data warehouse and Rapid7 InsightVM Sites integrations import sites as a weekly scheduled job.

    To view the imported sites in a list, navigate to Rapid7 > Sites.

    Reopen resolved vulnerable items not closed by scans

    Vulnerable items set to 'Resolved' in your ServiceNow AI Platform instance but not transitioned to 'Closed/Fixed' by the subsequent integration runs are reopened if they are detected during rescans.

    For Rapid7 detections, an option is now available on the Rapid7 configuration page in your instance to reopen resolved VIs by age. If enabled, VIs set to 'Resolved' but then not transitioned to 'Closed/Fixed' by subsequent scans transition back to 'Open' after the number of days you enter.

    Create CIs using the Identification and Reconciliation Engine (IRE)

    You can use the Identification and Reconciliation Engine to create new CIs when an existing CI cannot be matched with a host imported from a third-party scanner. Enable the CMDB CI Class Models plugin to create CIs using the new classes, otherwise unmatched CIs are created in the Unmatched CI classes. For more information, see Creating CIs for Vulnerability Response using the Identification and Reconciliation engine. For more information on how to configure the categorization of unmatched cloud resources into your preferred CI class, see Updating CI class for unmatched cloud assets.

    Rescan vulnerable items

    Initiate rescans in the Rapid7 platform to verify that your vulnerable items have been remediated between scheduled scanning cycles. See Initiate rescan for the Rapid7 Vulnerability Integration.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Rapid7 solution management

    If you have activated the Vulnerability Solution Management plugin, then the Rapid7 solutions for both Rapid7 data warehouse and Rapid7 InsightVM get populated in the Vulnerability Solutions [sn_vul_solution] table. However, if you have not activated the Vulnerability Solution Management plugin, then Rapid7 Vulnerability Integration works as is and imports the solutions in the custom [sn_vul_r7_solution] table. For more information, see Rapid7 solution management.